First published: Fri Apr 26 2024(Updated: )
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages from API responses even when developer mode is off, which allows an attacker to obtain information about the server, such as the full path where files are stored.
Credit: responsibledisclosure@mattermost.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/mattermost/mattermost-server | >=9.4.0, <=9.4.4 | 9.4.5 |
| go/github.com/mattermost/mattermost-server | >=9.6.0-rc1, <=9.6.0 | 9.6.1 |
| go/github.com/mattermost/mattermost-server | >=9.5.0, <=9.5.2 | 9.5.3 |
| go/github.com/mattermost/mattermost-server | >=8.1.0, <=8.1.11 | 8.1.12 |
Update Mattermost to versions 9.7.0, 9.6.1, 9.5.3, 9.4.5, 8.1.12 or higher.
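The defect described above is a classic verbose-error leak: an internal error (here a file-open failure that embeds the storage path) is serialized straight into the API response regardless of the developer-mode setting. The Go program below is an added illustration written for this page, not Mattermost's own code; the `Config.EnableDeveloper` field, the `APIError` shape, the error ID and the `/var/opt/example-data` path are all constructed assumptions. It shows the hardened pattern: the full error is logged server-side, and the `detailed_error` field reaches the client only when developer mode is explicitly on.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
)

// Config holds the one setting that matters for this advisory: whether
// developer mode is on. The field name is an assumption, not Mattermost's.
type Config struct {
	EnableDeveloper bool
}

// APIError is the JSON error shape returned to clients. DetailedError is
// the field that must stay empty in production responses.
type APIError struct {
	ID            string `json:"id"`
	Message       string `json:"message"`
	DetailedError string `json:"detailed_error,omitempty"`
	StatusCode    int    `json:"status_code"`
}

// NewAPIError wraps an internal error. The wrapped error text (for os.Open,
// a *fs.PathError that carries the storage path) is kept for logging only.
func NewAPIError(id, message string, internal error, status int) *APIError {
	detail := ""
	if internal != nil {
		detail = internal.Error()
	}
	return &APIError{ID: id, Message: message, DetailedError: detail, StatusCode: status}
}

// Sanitize returns a copy that is safe to send to the client: the detailed
// error survives only when developer mode is explicitly enabled.
func (e *APIError) Sanitize(cfg Config) APIError {
	out := *e
	if !cfg.EnableDeveloper {
		out.DetailedError = ""
	}
	return out
}

// writeAPIError logs the full error server-side and writes the sanitized
// version, so stripping internal details does not depend on each handler
// remembering to do it.
func writeAPIError(w http.ResponseWriter, cfg Config, e *APIError) {
	log.Printf("api error %s: %s", e.ID, e.DetailedError)
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(e.StatusCode)
	_ = json.NewEncoder(w).Encode(e.Sanitize(cfg))
}

// StoragePath is a constructed, non-existent path standing in for the
// server's file store; the failed open below embeds it in the error text.
const StoragePath = "/var/opt/example-data/files/does-not-exist.txt"

// fileHandler is a hypothetical endpoint that fails to open a stored file.
func fileHandler(cfg Config) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		f, err := os.Open(StoragePath)
		if err != nil {
			writeAPIError(w, cfg, NewAPIError("api.file.get.app_error",
				"Unable to get the file.", err, http.StatusInternalServerError))
			return
		}
		defer f.Close()
		w.WriteHeader(http.StatusOK)
	}
}

// ResponseFor exercises the handler in-process and returns the decoded
// error body a client would see under the given config.
func ResponseFor(cfg Config) (APIError, error) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v4/files/example", nil)
	fileHandler(cfg).ServeHTTP(rec, req)
	var out APIError
	if err := json.Unmarshal(rec.Body.Bytes(), &out); err != nil {
		return APIError{}, err
	}
	return out, nil
}

func main() {
	for _, dev := range []bool{false, true} {
		body, err := ResponseFor(Config{EnableDeveloper: dev})
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("developer mode %v -> %+v\n", dev, body)
	}
}
```

Running it prints two bodies: with developer mode off the `detailed_error` field is absent (it is `omitempty`), with it on the field carries the `open /var/opt/example-data/...: no such file or directory` text. Centralizing the stripping in `writeAPIError` rather than in each handler is the design point: the advisory's failure mode is precisely a code path where the per-call check was missing.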